<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/**************************************************************************
 *
 *   Copyright 2010 American Public Media Group
 *
 *   This file is part of AIR2.
 *
 *   AIR2 is free software: you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation, either version 3 of the License, or
 *   (at your option) any later version.
 *
 *   AIR2 is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with AIR2.  If not, see <http://www.gnu.org/licenses/>.
 *
 *************************************************************************/

/**
 * Air Query Authorization Library
 *
 * Contains methods to add authorization restrictions on a Doctrine Query based
 * on the permissions set for the remote user.
 *
 * @author rcavis
 * @package default
 */
class AirQauthz {
    private $ctrlr = null; // cached reference to the calling controller
    private $authz_obj = array();


    /**
     * Constructor - cache a reference to the controller
     *
     * @param assoc-array $params optional keys are ('authz_obj')
     */
    public function AirQauthz($params=null) {
        $this->ctrlr =& get_instance();
        if (isset($params['authz_obj']))
            $this->authz_obj = $params['authz_obj'];
    }


    /**
     * Add authorization restrictions to a query
     *
     * @param AIR2_Query $q (reference) query to alter
     */
    public function add_authz(&$q) {
        // trigger the internal DQL parser
        $q->getSqlQuery(array(), false);

        // get the query parts
        $comps = $q->getQueryComponents();
        foreach ($comps as $alias => $info) {
            $t = $info['table']->getClassnameToReturn();
            // only apply authz to the parent table, not any that are JOINed.
            // TODO authz tests around this.
            // fixes case for project/xxxxxxx where related submissions
            // have leftJoin to Source and Inquiry which results in authz filter
            // being applied twice to $q, resulting in broken SQL.
            // see Trac #1471.
            $is_child = isset($info['parent']);
            if ($is_child) {
                continue;
            }
            // query_may_read defined in AIR2_Record so every model has it.
            //Carper::carp("before query_may_read: " . $q->getSqlQuery() . var_export($q->getParams(), true));
            //Carper::carp("query_may_read for $t based on $alias");
            call_user_func(array($t, 'query_may_read'), $q, $this->ctrlr->airuser->get_user(), $alias);
            //Carper::carp("after  query_may_read: " . $q->getSqlQuery() . var_export($q->getParams(), true));
        }
    }


}
